Is GitHub Copilot safe for work?
Medium risk · 25GitHub (Microsoft) · Coding · facts (medium-confidence)
GitHub Copilot is medium-risk for default at-work use (25/100): it trains on your data unless you opt out, and holds SOC 2 Type II.
25
Medium risk
Watch out: On individual (free/Pro) plans, code snippets can be retained and used for model improvement unless opted out, so developers on personal accounts may expose proprietary code.
Data and compliance facts
- Trains on consumer-tier data
- Opt-out
- Trains on business-tier data
- No
- Training opt-out available
- Yes
- SOC 2 Type II
- Yes
- ISO 27001
- Yes
- ISO 42001 (AI management)
- Unverified
- GDPR Data Processing Addendum
- Yes
- HIPAA BAA
- Unverified
- EU data residency
- Unverified
- SSO / SAML
- Yes
- Data retention
- Business/Enterprise: prompts and suggestions are not retained (transient); user engagement data kept ~24 months. Individual: prompts retained ~28 days for the code-completion service.
- Safer tier
- GitHub Copilot Business / Copilot Enterprise
Why it scores 25 out of 100
- +14Trains on your data unless you opt out. Training is on by default on the consumer tier; you must find and toggle the opt-out.
- +6No EU data residency. Data cannot be guaranteed to stay in the EU.
- +5No HIPAA BAA. No Business Associate Agreement, so do not use it with protected health information.